Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.
"Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California Berkeley researchers as a "wake-up call" for developers of web password vaults.
"Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a userÃ­s credentials for arbitrary websites," Researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in the paper The EmperorÃ­s New Password Manager: Security Analysis of Web-based Password Managers (PDF).